Room for Improvement: CVE-2024-42219

dude1234
dude1234
Community Member
in Mac

Frankly, this deserves a blog post and email distribution of its own so most normal users can be aware rather than discovering it in some buried support kb post brought to our attention on a third-party site.

Agilebits & 1Password really ought to be better in instances like this.

Comments

  • Swerve
    Swerve
    Community Member

    I too only figured out about this vulnerability through a third-party site (Forbes). But that's only because 1Password did not initially put it in their release notes (it's there now).

    And that delay did lead to some users wondering if it is related to the recent issue in 1Password 8.10.38 which resets people's settings: Example 1, Example 2. As far as I'm aware, they are not related, since CVE-2024-42219 was fixed in version 8.10.36 (for the Mac only).

    I don't think a blog post or email is necessary to disclose the vulnerabilty. Heck, the 1Password blog is mostly filled with B2B advertising and SEO spam these days, anyway. It's difficult to find anything useful there for regular users.

    I was going to suggest a dedicated portion of the 1Password site where fixed CVE's are listed and described (linked to from the relevant release notes, of course). But after some digging, I figured out it already exists. It's just not discoverable:

    https://support.1password.com/kb/

    In all my years of using 1Password, I never knew that page existed. I only found it today by manually editing the URL of the page where the vulnerability is described.

  • Damnatus
    Damnatus
    Community Member
    edited August 11

    There has been updates!

    First: another fixed vulnerability in 8.10.38 that could have allowed a downgrade attack by deploying earlier, vulnerable versions of 1Password: CVE-2024-42218, https://support.1password.com/kb/202408/
    (now also added in the Release Notes).

    And second: a blog post that talks about all six (!) vulnerabilities that have been discovered by the Robinhood Red Team and were presented at DEF CON 2024: https://blog.1password.com/august-2024-security-update/

    Also: The linked support articles also now mention if 1Password 7 is vulnerable. It is not for CVE-2024-42218 and CVE-2024-42219. But it is susceptible to Native Message Host (NMH) spoofing via browser impersonation, which affects all software using NMH, due to protocol limitations that do not allow for browser authentication.

    I recommend read the blog post as I have given only a brief summary.

  • Pleonasm
    Pleonasm
    Community Member

    The DEF CON presentation, describing the vulnerabilities, is available here.